SentinelAudit

Audit logs for operations performed on Azure Sentinel resources, such as Data Connectors, Analytic Rules and more. These logs can be used to audit operations on your Sentinel resources.

Table attributes

Attribute	Value
Resource types	-
Categories	Security, Audit
Solutions	SecurityInsights
Basic log	No
Ingestion-time transformation	No
Sample Queries	Yes

Columns

Column	Type	Description
_BilledSize	real	The record size in bytes
CorrelationId	string	A unique record identifier.
Description	string	The operation description.
ExtendedProperties	dynamic	Additional information based on the resource type.
_IsBillable	string	Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account
OperationName	string	The name of the operation that triggered the event.
SentinelResourceId	string	The Sentinel resource ID.
SentinelResourceKind	string	The resource kind, for example: connector kind (such as Office365, AmazonWebServicesCloudTrail), alert rule kind (scheduld).
SentinelResourceName	string	The Sentinel resource name.
SentinelResourceType	string	The resource type, for example: DataConnector, AlertRule, etc.
SourceSystem	string	The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics
Status	string	Status of the operation, for example: Success, Failure, Warning, Informational, Partial Success.
TenantId	string	The Log Analytics workspace ID
TimeGenerated	datetime	The timestamp (UTC) of when the event was generated.
Type	string	The name of the table
WorkspaceId	string	The workspace ID.